Mmm, the same port version though? 5.0.1? From what I can see that fix should be in 5.0.1_1 and that hasn't arrived in FreeBSD yet. How are you querying the agent?

@admintkh said in Hugh CPU Load after Upgrade to 2.6.0: https://redmine.pfsense.org/issues/12045 You mean these commits? b5d787d93b3d83f28e87e1f8cc740cb160f8f0ac 0020c845a086766b3315372f006363f8ad76ac54 d97753b5c8f1d32fbcdcbb0d129b49f808245865 3bea7b5b05f200df4cabee12e405b8feade16f0e 89d5cbb82294c8624e66f920d50353057ccab14b That's shouldn't be necessary or even possible in 2.6. Steve

@stephenw10 I have a Cisco switch here and port mirroring with it is a pain. I created a data tap, with a cheap 5 port managed switch.

@stephenw10 said in DNS Resolver: It looks like you have something set that means it's to do a reverse lookup on all IPs. Anything that doesn't resolve is shown in that form which is why you're seeing a whole bunch of 'in-addr.arpa' logs. I think you are on to something here, "all the IP's"... which do seem to be spread across the world, and made me think of pfBlocker... Which in fact seems to be what is behind most of it (could Suricata be the other??). Anyway, I quickly found that two of the IP's which came up 4-5 times in the last 15 minutes, and do not resolve, are on pfBlocker lists, like "pfB_Top_v4"... Yes, if an address has a PTR record then I'd expect it to show a domain there. Steve Interestingly it seems the issue with internal IP's and/or my employers site are no longer there. Not sure what I did but I was going through the settings earlier today and I think had "ignore remote DNS servers" active (under system > general). For sure it's at the default setting now, and I have to go back several hours in the logs to find those IP's in the list as in-addr.arpa... Could that setting change have made this difference? Anyhow, seem the problem is solved, or at least I have a better understanding now. I do still have to look for a simple way to skip those items in the analyzer... The output of Diag > DNS Lookup shows all configured DNS servers not just those in use by the system or by clients. That's expected. So I guess I shouldn't worry then... In fact I can of course remove those servers completely on that page and things still work.

The file is not especially large. Like of the order of 10MB. It really does seem to be the file since in the original use case the rest of the folder can be passed fine without it.

When you add policy routing by setting a gatewau (or gateway group) on the rules you force all traffic to use that route. But here you want traffic between local subnets to use the system routing not go out the WAN. So you need to add a rule above the policy routing rule to pass local traffic only. Create an alias Local_Subnets and put in it all your locally connected subnets. Then add a rule at the top of the list to pass from LANnet to Local_Subnets without a gateway set. See: https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing Steve

@peter_apiit said in Full Command to restart the networking in pfsense: become slower, so need refresh the connection Not really a thing - but ok ;) Pfsense been running for 72 days, just as fast as it was 72 days ago for "internet"..

@johnpoz fair enough then. thanks!

If their ONT uses a GPON SFP module then there's probably a reasonable chance because you can just move that to a NIC. If not you have to try and get a module that's compatible and at that point you're off the map! Steve

Satisfying when you find and fix it and everything just starts working though. Steve

In 2.6 the ix driver reports a number of additional error types in the received errors counter. Check the sysctl mactstats for more detailed breakdown. sysctl dev.ix.0.mac_stats Steve

The pfSense docs is the place to start. You can also check out our back catalogue of video hangouts here: https://www.youtube.com/c/netgateofficial Steve

Leaving the password empty in the wizard does not change the password. It leaves the current password in place. Your existing username and password would not have been changed by the wizard if that were the case.

@johnpoz You've modded a special pfSense theme ?

@gertjan thank you guys... much appreciated - away at work so need to test over weekend, will report back!

If you want the changes to be present for everyone, you can edit them into /etc/skel/dot.<blah> where <blah> is profile, shrc, or tcshrc.

@gimpymoo I have a custom built appliance, specs as below: Intel G5400 4GB RAM SSD Intel Dual GB NIC If these are still your system specs, simply swapping the Intel Dual GB NIC for something like this will do it. Unless you've got extra card slots, then just add one for some extra ports. https://www.newegg.com/p/pl?d=intel+x540+dual+port+10gbe+nic Just watch out for counterfeit cards...

@stephenw10 Sure I can grab it and put on a test box but it will take a day or so. I will post back here as soon as I have an answer.

No problem. If you're able to test it I'm sure others would find that useful.

@stephenw10 said in Router setup for weirdos like me: @fireix said in Router setup for weirdos like me: Ok, so you mean that it is the best solution? That's what I would choose over anything else if it's available. You absolutely can configure pfSense as a transparent firewall if you need to it just requires some care. There is no 'transparent mode' button. It's easy to lock yourself out if the firewall if you don't have a separate management interface. Steve Having a seperate IPMI-network comes in handy in those situations :) For not-that-technical users, I would think it would be a very welcoming thing to have an easy method to enable transparent fw. But having tons of public webservers maybe not the exact average users do. Thanks for your help and advice :)